NEWSLETTER: Norms of Behaviour for Cyberspace

Norms surround us everywhere, every day, whether we like it or not. These norms may differ in nature (legal, political, social, ethical, etc.), authority (e.g. legally binding, legally non-binding), and scope (national, regional, global). They also develop over time and can vary significantly between geographical regions. Despite these differences, the common characteristic of all norms is that they reflect expectations for certain behaviour.

Norms of behaviour for States become especially relevant in times of insecurity and damaged trust between nations, and particularly in cyberspace, where the unique attributes of networked technology may result in State practice outdistancing the agreed principles of the governing legal regime. With regard to international stability and State behaviour in cyberspace, political and legal norms play the biggest role. This is also reflected in the numerous ongoing discussions on the role of and need for cyber norms that are being held between States in different international forums. Examples include the United Nations Group of Governmental Experts and its 2013 report, which included “Recommendations on norms, rules and principles of responsible behaviour by States”; a set of confidence building measures agreed in the OSCE that are widely seen as a possible basis for building the trust needed for agreeing on further norms of behaviour; and the London conferences process that was initially aiming at agreeing on general “rules for the road” for cyberspace.

Yet these debates and initiatives have all been hindered by a lack of consensus, not simply on the scope and authority of norms in cyber space but on their very possibility. While most States agree that cyber norms as such are needed, and States clearly express their support for agreeing on such norms, little attention has been paid to asking what States mean when they discuss norms and, moreover, what cyber norms are. What is a norm? How are cyber norms articulated, agreed and implemented? By whom? When does certain behaviour become a norm? When is a norm effective? Do we need new norms or are we looking at interpreting existing ones? What are the operative characteristics of cyber space which must be considered when seeking common standards of international behaviour? And what is the relationship between political and legal norms: are the first of these the condition, or the consequence, of the latter?

Firmly believing that these questions need to be discussed before moving on to substantially outlining cyber norms of behaviour, the Centre is undertaking a project on “Cyber Norms Development” that tackles these matters from both legal and international relations’ perspectives. The project consists of two workshops and a study to be published by the end of 2014.

The first workshop on “Cyber Norms & International Relations” took place in Stockholm in April and brought together an impressive list of experts, focusing on what a political norm is and which aspects and actors need to be kept in mind when seeking consensus between States. The workshop was organised in three parts – Abstract, Action and Agency – each following a set of guiding questions and tackling specific matters from different angles. Whilst participants generally agreed on the need for norms in cyber space, one of the conclusions of the workshop was that we are currently missing a uniform approach to what a norm is, what the principal aspects influencing the emergence of norms are and what their source of authority is. The workshop concluded that “a norm” in international relations may signify agreements between States with varying degrees of bindingness, and that the biggest obstacle in agreeing on norms is overcoming political and ideological differences as well as identifying a neutral process and platform for taking these discussions further.

The second workshop on “Cyber Norm Development” was held in Tallinn in June as part of the CyCon conference and took a wider approach to cyber norms. The workshop put legal, political and social norms side by side and considered how they affect the behaviour of both States and individuals. It was put forward that “norm” as such is a generic term, the exact meaning of which depends on the context in which it is employed. Importantly, the different perspectives on norms should not be seen in isolation but rather as supporting one another, keeping in mind that various types of norms serve different purposes. For example, whereas from the legal perspective it is very important to have a clear view on what is and is not permissible for State behaviour in cyberspace, an international relations approach may find certain normative ambiguity useful. Social norms, on the other hand, while not directly related to State behaviour, point to the sometimes grave differences between established legal norms and individual behaviour. The latter also underlines the reality of differences between political statements and actual State practice. Among other aspects, the experts deliberated that even though international legal norms may be viewed as central for guiding States’ behaviour in cyber space, the difficulties in establishing or reaching an understanding on the interpretation of an international legal norm may well render other norms, such as political norms, more relevant or beneficial.

The discussions held during the two workshops will be shaped into a research study to be published by the Centre by the end of 2014. Prof Paul Cornish from Exeter University will examine the role of political norms in establishing norms of behaviour in cyberspace, and Prof Michael Schmitt from the US Naval War College and Exeter University, a Senior Fellow of the NATO CCD COE, will study the development and related challenges of international legal norms.